I have created the SDK and now want to integrate oauth for authentication process. Now I want to do same as Facebook SDK do, if client app is already installed and login, it switch to that app ask for permission and switch back to app who wants to authorise it. if client app is not there is will open the webpage and on login ask for permission and then redirect to my app after login.
We have implemented the oauth on server but not sure which grant_type we will use to achieve the above functionality. We can not store the password in client app.
Let me know if anyone has idea how to achieve this functionality and implementing the same flow as other SDKs(Facebook, Twitter) does.
For mobile based apps use the following URL for authentication:
POST https://api.example.com/token
grant_type=authorization_code&
code=AUTH_CODE_HERE&
redirect_uri=REDIRECT_URI&
client_id=CLIENT_ID
Pass the authentication code from the app if user is login else if user is not login first navigate to login page, on successful login authorization page come as-usual.
NOTE: It might be unsecure as we are sending the code in query param, but doing it in request over ssl enhanced security.
For browser authentication
https://example.com/auth?response_type=token& client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos
where authentication picks the login session if user is already login.
I think you already answered your own question when you said "I want to do same as Facebook SDK does".
Facebook SDK provides the framework for detecting if Facebook application is installed in order to avoid signing up through WebView interface. Google also provides an authentication and authorization API through Google+ sign instead of a browser. As you can see:
the documentation suggests using the right device infrastructure rather than the system browser.
According to this post, it is possible detecting programmatically check if an application is installed. For Android, I think that boths SDK check if their related apps are installed when you trigger the sign up/in/out process and invoke the system browser if necessary.
Thus, in order to provide a generic OAuth 2.0, you also could do the same programmatically, but I guess that drilling this information, pick the right application, and launch it won't be an easy task.
Related
I am writing an Android app that makes calls to a REST Api. The user must be logged in and in order to do so, he must authenticate on the server which in turn redirects to the Identity Provider of my university.
My idea was to let the user log in via the android in-app browser and then extract the session cookie (and csrf, if necessary) into the app's AbstractAccountAuthenticator once the user is logged in.
How can I do this? I would also be happy about some helpful links. And secondly, is my way really the way to go?
Sorry for the misleading title, but here's I want to do:
Say I have an already running website AwesomeWeb, which authenticate its users using username/password combination. Now I want to develop a mobile app AwesomeApp for it, and at the same time, develop and open up its RESTful API - AwesomeAPI.
To keep things simple, I plan to authorize AwesomeAPI using OAuth2, and make AwesomeApp the first client/application.
But I DO wish AwesomeApp to have a simple sign-in process: input username/password -> click the button -> done. In other words, have a 'non-web' feel just like Facebook or Twitter does.
For those 3rd party mobile apps that want to access resources (like username) through AwesomeAPI, it should embed a button somewhere in the app, which opens AwesomeApp to display a 'allow/deny' page when clicked. Again, this is what Facebook and Twitter app doing.
OK, here's the questions:
At step 3, what do I use: webview or doing http stuffs background or just use OAuth2 password grant type? Pros vs. cons?
After step 3, I get an access token for AwesomeApp. But this token CANNOT be used in step 4 to issue an access token for some 3rd party app, am I right? If so, how to achieve step 4?
Appreciate your help a lot!
Notes: I'm not asking for OAuth2 flow or inter-app communication.
Regardless of whether you achieve the step 3 by implementing "Resource Owner Password Credentials" flow defined in RFC 6749 (OAuth 2.0) or by other means, the authentication should be performed in the background. Note that in "Resource Owner Password Credentials" flow, a client application does not access the authorization endpoint but accesses the token endpoint directly, so the authorization UI (which is supposed to be shown at the authorization endpoint) is not displayed.
To achieve the step 4, you have to implement "Authorization Code" flow or "Implicit" flow.
I'm building an application which consists of a mobile client (Android native app) that will connect to my rails application. I need a way for users to signin and signup to my rails app using the android app. So I installed doorkeeper and devise gems on my rails app and followed the instructions here to see how things work. As you can see in the authorization code flow page there are multiple steps such as registering the client, requesting authorization, requesting the access token.
My question is how do I perform all these steps from my android app. Any help is much appreciated. Thanks
For registration (sign up) you can create a method in the user controller that does just that. Or you can customise Devise's sign_up page to look better in a mobile view and do the registration in a webview in the app.
As for Doorkeeper, either follow the usual flow as linked by you or give it a simpler approach. What I did was to
activate the refresh token - this will allow a user to get his access token and his refresh token, token used to regenerate the access token once it expires. This way you don't retain the user's login registration on your app, just the tokens.
white label some apps in config/initializers/doorkeeper.rb by using the skip_authorization to allow auto authorisation of some particular apps. You can allow auto authorisation to all the apps but I'd recommend you just whitelist some of them:
skip_authorization do |client|
whitelisted_apps = ['app1_id', 'app2_id']
whitelisted_apps.include? client.application.uid
end
I hope this helps.
I followed the tutorial here: https://developers.facebook.com/docs/mobile/android/build/#enablesso
I am able to authenticate on the android side, but what I want to do is to use SSO or some sort of authentication using facebook [preferrably OAuth] to authenticate against my web application on GAE. I expect it to work something like this: blog.notdot.net/2010/05/Authenticating-against-App-Engine-from-an-Android-app
This is the sort of flow I expect:
The user starts my app, and is prompted with an option to authenticate to FB.
The FB app/web dialog opens and asks the user to confirm permissions to be given to my app.
Once that is done, FB provides me with a cookie [or something similar].
I use that cookie for subsequent requests to my web service, where I can get the username simply using:
user = oauth.get_current_user()
user.nickname()
Is anything like this possible? The problem I face is that while performing SSO, there is no place where I specify an OAuth end point. GAE provides OAuth endpoints [http://code.google.com/appengine/docs/python/oauth/overview.html], which I think I should be using. Any clue as to how I can proceed about this?
Any help is appreciated. Regards, rohan
You need to implement the server-side authentication flow: http://developers.facebook.com/docs/authentication/
I implemented it in Java: see the LeanEngine oss project. You could probably reuse the android client part: the login dialog.
I'm thinking this may not be possible... but I have an Android application that is using the Facebook Graph API to get some information. They can tap the view there and open up a browser with a full-fledged Facebook page, but it asks the user to log in again.
I'd like to be able to skip the initial sign in (I know the browser can remember your login). Is there a way I can use the OAuth token from the Graph API to authorize for the Facebook web page?
I did try appending "access_token=..." to the query string, but that was fruitless.
You can reuse the facebook OAuth token on other platforms like this.
https://graph.facebook.com/me?access_token=here comes your accesstoken
Off course you will only be able to call api functions (and only those where you have permission for)
I'm not aware of a permission that allows you to do a full-fledged web-site login :-).